Privacy policy
Draft notice. Operational detail below reflects architecture intent (processors, retention themes, rights channel). Replace placeholders (for example ABN) and obtain legal sign-off before publishing as final policy.
Who controls your data
The data controller is CCW Equipment Suppliers (Australia), operating CCW Online ERP. Contact for privacy requests: [email protected]. Commercial enquiries remain welcome at [email protected].
Where an ABN or registered entity name must appear on the public policy for your deployment, insert the verified legal entity and identifier in your production build.
Information we may collect
- Account details such as name, email, role, and tenant identifiers used to operate the service.
- Business transaction data you enter or sync (orders, quotes, inventory, customers, suppliers).
- Technical and security metadata (for example device or browser characteristics, IP-derived region, auth events) to protect accounts and diagnose issues.
- Optional product analytics where enabled—governed by consent mechanisms when required (see roadmap in internal privacy architecture docs).
Processors and sub-processors
Depending on your configuration, data may be processed by infrastructure and integration partners including, without limitation: Supabase (database and auth), Anthropic (where AI Boardroom or similar features send prompts containing business metrics you choose to include), Stripe (billing), and connectors such as Cin7 or Xero when you connect them. Only connect integrations you authorise; each vendor maintains its own terms and privacy notices.
Retention
Retention follows operational and legal needs. Illustrative targets used in architecture planning: active account data for the life of the subscription; financial transaction records aligned with Australian Tax Office record-keeping expectations (often up to seven years); security logs on shorter rolling windows; integration debug logs on shorter horizons. Exact schedules should be enforced in your production data layer and documented after legal review.
Your rights
Subject to applicable Australian privacy law, you may request access to, or correction of, personal information we hold. Deletion may be limited where law or legitimate business records require retention. Contact [email protected] with your tenant name and a description of the request.
Notifiable data breaches
Where a breach is likely to result in serious harm and meets statutory thresholds, we will follow the Australian Notifiable Data Breach scheme: assess, contain, notify the OAIC and affected individuals when required, and document the incident. Individuals may also complain to the Office of the Australian Information Commissioner (OAIC).
AI transparency
Where AI-assisted features are enabled, business metrics or text you submit may be sent to model providers (for example Anthropic) to generate in-product recommendations. Configure features and data shared in line with your governance policy. A dedicated in-product notice may appear near AI surfaces; this section supplements that experience.
Questions about this policy? Email [email protected].